Merge "Introduce scope_types in os-hypervisors"

nova/policies/hypervisors.py

@@ -23,9 +23,9 @@ BASE_POLICY_NAME = 'os_compute_api:os-hypervisors'
 
 hypervisors_policies = [
     policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
+        name=BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
+        check_str=base.RULE_ADMIN_API,
-        """Policy rule for hypervisor related APIs.
+        description="""Policy rule for hypervisor related APIs.
 
 This rule will be checked for the following APIs:
 
@@ -35,7 +35,7 @@ show details for a hypervisor, show the uptime of a hypervisor,
 search hypervisor by hypervisor_hostname pattern and list all
 servers on hypervisors that can match the provided
 hypervisor_hostname pattern.""",
-        [
+        operations=[
             {
                 'path': '/os-hypervisors',
                 'method': 'GET'
@@ -65,7 +65,8 @@ hypervisor_hostname pattern.""",
                 '/os-hypervisors/{hypervisor_hostname_pattern}/servers',
                 'method': 'GET'
             }
-        ]
+        ],
+        scope_types=['system']
     ),
 ]
 

nova/tests/unit/policies/test_hypervisors.py

@@ -114,3 +114,17 @@ class HypervisorsScopeTypePolicyTest(HypervisorsPolicyTest):
     def setUp(self):
         super(HypervisorsScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to perform operations
+        # on hypervisors.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system-admin is not able to perform operations
+        # on hypervisors.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.project_admin_context,
+            self.system_foo_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]